Comment by PeterisP a day ago
If someone would do the thing-to-be-detected (e.g. accessing CSAM) every day, then that 0.14% probability of detection turns out to be 40% for a single year (0.9986^365) or 64% over two years, so even that would deanonymize the majority of such people over time.
My point is that it doesn't require "vast resources". A VPS is $5 a month. A thousand of them would be in the disposable income budget of a single FAANG engineer never mind a nation state.
Pay people on Fiverr to set them up for you at different ISPs so that all the setup information is different. You can use crypto to pay if you want anonimity (this is actually the main reason I used to use bitcoin - I'd pay ISPs in Iceland to run TOR exit nodes for me without linking them to my identity).
This isn't a difficult problem. A single individual with a good job could do it.
And sure, each connection only has a very small chance of being found, but aggregate it over a year or two and you could catch half of the users of a site if they connected with a new circuit one time per day.
I honestly can't see why a nation state or two hasn't already done this.
> A VPS is $5 a month.
With insignificant data caps. To get the data needed I believe you're looking at a couple hundred a month, to start.
And if you BYOIP, and run a large node, Tor volunteers will try to contact you and verify...
But it doesn't seem unfeasible for a state actor that wants to track their population then?
What detection? A malicious node is only different from a non-malicious node because all the traffic is being logged. If that's our definition of a malicious node in this case then there is no way to detect one.
>What detection?
Not speaking to the effectiveness of the detection (it's hard!), but there's information available, for example:
https://blog.torproject.org/malicious-relays-health-tor-netw...
https://gitlab.torproject.org/tpo/network-health/team/-/wiki...
https://gitlab.torproject.org/tpo/network-health/team/-/wiki...
I can't think of anyone with vast resources and time that would want to deanonymize cybercriminals
Outside of 3 letter agencies which is obvious, I have known people who would do this for fun or whatever other personal motivation.
A lot of "hacker" mentality projects involve putting a tremendous amount of effort into something with questionable utility.
People climb mountains because they're there.
The attack Germany is thought to have actually used was to flood the network with middle nodes and wait until the victim connects to their middle node. Then, it knows the guard node's IP. Then, it went to an ISP and got logs for everyone who connected to that IP.
technicly this is the only comment in this chain that is relevant to the featured article, but it's technicly so incomplete that it's almost wrong, I can tell from having read the thread and knowing next to nothing else about how TOR works.
They don't have plausible evidence to subpoena the guard node if a middle node only sees encrypted traffic. They would also need to control the exit nodes which communicate with the target's host or they simply control the host as a honeypot.
That assumes you could run thousands of malicious tor nodes for several years without being detected. Unless you have vast resources and time, this is unlikely.